- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- SAPXPG vulnerability
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
SAPXPG vulnerability
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-20-2008 8:22 PM
We are concerned about a vulnerability of of using SAPXPG to issues OS commands to shutdown or otherwise tamper with the availability of the SAP system. Please advise of how to close this vulnerability.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-20-2008 9:52 PM
Hi,
SAPXPG is really only ment to be used internally. As the ABAP system is platform independent it makes use of external RFC servers started by SAP Gateway to perform platform dependent tasks. One example is executing operating system commands using transaction SM49. There is no SAP standard scenario that would remotely require the SAP Gateway to start any of these external RFC servers. You can therefore restrict access as documented in [Security Settings in SAP Gateway|http://help.sap.com/saphelp_nw70/helpdata/EN/1c/468e2f161b4f96b5401f02d30943b1/frameset.htm] to local access only. Remote access is only required for remote registration of RFC servers.
Example configurations:
secinfo (control access to RFC servers started by SAP Gateway):
# allow only local calls from ABAP to RFC servers on the local application server itself:
USER=*, USER-HOST=local, HOST=local, TP=*;reginfo (control access to and from RFC servers registered by SAP Gateway):
# allow remote registration of RFC servers (TREX, IGS, etc.)
# check logged on clients in transaction SMGW to get a specific list of registered RFC servers on your system
TP=*Please also have a look at the documentation above.
Best regards,
Christian
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-20-2008 9:52 PM
Hi,
SAPXPG is really only ment to be used internally. As the ABAP system is platform independent it makes use of external RFC servers started by SAP Gateway to perform platform dependent tasks. One example is executing operating system commands using transaction SM49. There is no SAP standard scenario that would remotely require the SAP Gateway to start any of these external RFC servers. You can therefore restrict access as documented in [Security Settings in SAP Gateway|http://help.sap.com/saphelp_nw70/helpdata/EN/1c/468e2f161b4f96b5401f02d30943b1/frameset.htm] to local access only. Remote access is only required for remote registration of RFC servers.
Example configurations:
secinfo (control access to RFC servers started by SAP Gateway):
# allow only local calls from ABAP to RFC servers on the local application server itself:
USER=*, USER-HOST=local, HOST=local, TP=*;reginfo (control access to and from RFC servers registered by SAP Gateway):
# allow remote registration of RFC servers (TREX, IGS, etc.)
# check logged on clients in transaction SMGW to get a specific list of registered RFC servers on your system
TP=*Please also have a look at the documentation above.
Best regards,
Christian
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-04-2008 4:21 PM
